Win10 Pro 20H2, custom system built Feb 2020
GW Elite 2.2.291 - Ethernet, no Wi-Fi
This is a report of inconsistencies I’ve been following for a while in GW’s behavior while handling network dependent Defender components. It should be emphasized that the behavior •does not break• any of the processes discussed.
FYI: There are currently two Defender Platform folders and their timestamps…
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2011.6-0 - 12/3/2020
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2101.9-0 - 2/11/2021
It is common to see two or three version folders under \Platform, for which a full understanding eludes me and is well above my pay grade.
Microsoft Malware Protection Command Line Utility - mpcmdrun.exe
Note: Every four hours my crafted task “mpcmdrun.exe -signatureupdate” runs in Task Scheduler.
There are five entries under Inactive Apps. There is no entry under Active Apps.
c:\programdata\microsoft\windows defender\platform\4.18.1911.3-0\mpcmdrun.exe
c:\programdata\microsoft\windows defender\platform\4.18.2003.8-0\mpcmdrun.exe
c:\programdata\microsoft\windows defender\platform\4.18.2004.6-0\mpcmdrun.exe
c:\programdata\microsoft\windows defender\platform\4.18.2005.5-0\mpcmdrun.exe
c:\programdata\microsoft\windows defender\platform\4.18.2010.7-0\mpcmdrun.exe
Graph reveals the last time stamp is 6/3/20 for 4.18.2005.5-0. This one has a grey two-arrows icon, the others a black shield. A record for 4.18.2010.7-0 does not exist in Graph. All are First Network Activity.
Nirsoft’s LastActivityView logs events for the current Platform, data here pulled from the exported CSV file.
2/12/2021, 11:02:01 AM, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\Platform\4.18.2101.9-0\MpCmdRun.exe
Antimalware Service Executable - msmpeng.exe
Under Active Apps there is one entry.
c:\programdata\microsoft\windows defender\platform\4.18.2011.6-0\msmpeng.exe
Under Inactive Apps, there is one entry:
c:\programdata\microsoft\windows defender\platform\4.18.1911.3-0\msmpeng.exe
In Graph, the last time stamp for 4.18.1911.3-0 is 2/7/20. For 4.18.2011.6-0, 2/5/21. Both are First Network Activity. The former has a grey two-arrows icon, the latter a white square with a blue bar.
From LastActivityView.
2/11/2021, 4:10:09 PM, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\Platform\4.18.2101.9-0\MsMpEng.exe
Microsoft Network Realtime Inspection Service - NisSrv.exe
There are two entries under Active Apps, and four under Inactive Apps.
c:\programdata\microsoft\windows defender\platform\4.18.2011.6-0\nissrv.exe
c:\programdata\microsoft\windows defender\platform\4.18.2101.9-0\nissrv.exe
Inactive: 4.18.2007.8, 4.18.2008.9, 4.18.2009.7, 4.18.2010.7.
From LastActivityView.
2/11/2021, 4:10:13 PM, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\Platform\4.18.2101.9-0\NisSrv.exe
While GW’s handling of NisSrv.exe seems to be OK, the others are not.
A short while ago, Microsoft abandoned the previous paths
C:\Program Files\Windows Defender
C:\Program Files (x86)\Windows Defender
for storage of Defender resources.
Other security centric layers, like Malicious Software Removal Tool and Windows Defender SmartScreen, escape handling issues by virtue of their location in \System32. Ditto for Host Process for Windows Services and NT Kernel & System for whatever security support they might provide.
I understand the formidable challenge the Windows Defender version paths present to network utilities and tools developers; I’m hoping the GW team can eventually get all this squared away.
While security isn’t affected (none of the described behavior breaks anything), it would be nice for GW’s otherwise superb monitoring and logging of these critical processes to be current and accurate.
Cheers.
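Added example, not GlassWire's code and not from the report's author: a Python check that treats the versioned \Platform folder as the noise it is, so a monitor's per-path entries can be reconciled against the folders actually on disk. It flags entries whose version folder is gone (the "Inactive Apps" leftovers above) and lists on-disk versions that have no entry at all. The paths and folder names are the ones quoted in the report; the function names are my own.

```python
import re
from collections import defaultdict

# Matches the version folder Defender inserts into its Platform path,
# e.g. ...\Platform\4.18.2101.9-0\MpCmdRun.exe -> ("4.18.2101.9-0", "MpCmdRun.exe")
PLATFORM_RE = re.compile(
    r"\\platform\\(\d+\.\d+\.\d+\.\d+-\d+)\\([^\\]+\.exe)$", re.IGNORECASE)


def _ver_tuple(version):
    # "4.18.2101.9-0" -> (4, 18, 2101, 9, 0), so versions compare numerically
    return tuple(int(x) for x in re.split(r"[.-]", version))


def version_str(nums):
    return ".".join(str(n) for n in nums[:4]) + "-" + str(nums[4])


def parse_entry(path):
    """Return (exe_name_lowercase, version_tuple) for a Platform path, else None.

    Case-insensitive on purpose: GW lists paths in lower case, LastActivityView
    exports them in upper case, and both refer to the same file.
    """
    m = PLATFORM_RE.search(path)
    if not m:
        return None
    return m.group(2).lower(), _ver_tuple(m.group(1))


def reconcile(monitored, on_disk):
    """Compare monitor entries with the version folders present under \\Platform.

    Returns (stale, missing): stale = monitored paths whose version folder no
    longer exists; missing = (exe, version) pairs for on-disk versions that have
    no entry for an executable the monitor otherwise knows about.
    """
    disk = {_ver_tuple(v) for v in on_disk}
    seen = defaultdict(set)
    stale = []
    for p in monitored:
        parsed = parse_entry(p)
        if parsed is None:          # not a Platform path (e.g. \System32), ignore
            continue
        exe, ver = parsed
        seen[exe].add(ver)
        if ver not in disk:
            stale.append(p)
    missing = sorted((exe, version_str(v)) for exe in seen
                     for v in disk if v not in seen[exe])
    return stale, missing


# Sample input taken from the report above: the two folders on disk and a
# selection of the Active/Inactive Apps entries.
ON_DISK = ["4.18.2011.6-0", "4.18.2101.9-0"]
MONITORED = [
    r"c:\programdata\microsoft\windows defender\platform\4.18.1911.3-0\mpcmdrun.exe",
    r"c:\programdata\microsoft\windows defender\platform\4.18.2010.7-0\mpcmdrun.exe",
    r"c:\programdata\microsoft\windows defender\platform\4.18.2011.6-0\msmpeng.exe",
    r"c:\programdata\microsoft\windows defender\platform\4.18.1911.3-0\msmpeng.exe",
    r"c:\programdata\microsoft\windows defender\platform\4.18.2011.6-0\nissrv.exe",
    r"C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\Platform\4.18.2101.9-0\NisSrv.exe",
]

if __name__ == "__main__":
    stale, missing = reconcile(MONITORED, ON_DISK)
    print("stale entries:", *stale, sep="\n  ")
    print("on-disk versions with no entry:", *missing, sep="\n  ")
```

On the report's data this flags the three 1911/2010 leftovers as stale and shows that mpcmdrun.exe has no entry for either current folder while msmpeng.exe lacks one for 4.18.2101.9-0, matching the inconsistencies described above.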